Saturday, February 27, 2010

The version of Nokia's Share Online application that shipped with my E71 has a problem. I was trying to upload photos from Berlin over O2 Germany's data network to my Flickr account, and it unexpectedly returned an authentication error; I looked at "your recent photos and videos", and got photos belonging to Flickr user mrspin, then from three others. Actually, I get another user every time.

I could reach my Flickr page via the web browser. The problem is not O2.de or roaming-specific; it happens here in the UK as well. What I think is happening is something like this: 3UK is using a lot of NAT in its data network, as mobile operators often do, and something about Share Online doesn't handle this well. Specifically, I reckon it's using the device IPv4 address as part of an identifier - as the addresses in 3UK's netblock are rapidly being reused for other users, it may be possible for someone else to log in using IP address x.x.x.x, and then a request from me to be bound to the wrong account.

Oddly, the browser isn't affected. I suspect, therefore, that Share Online is doing some sort of weird magic rather than just using the DNS and Flickr's own authentication mechanism - perhaps it doesn't resolve flickr.com every time, or honour the Flickr cookie correctly? After all, a Web authentication mechanism should cope with the same user logging in from multiple IP addresses. That should be obvious.

Fortunately, when I tried to write to the account, the authentication failed - as it should do, as I was trying to log in to the wrong account. This suggests that Share Online doesn't actually resolve flickr.com/yourname for read-only, but instead caches replies matched with IP addresses somewhere in the network. As mobile operators reuse IP addresses a lot, and use non-routable (RFC-1918) addresses which aren't globally unique a lot inside their networks, this is a really bad idea. Something is obviously cached, as the problem persists from my own WLAN as well.

I suspect that this used to work because the percentage of a typical operator's IP address space that was actually used was low, and therefore there was a good chance that the same address wouldn't be used for the same application before the cache expired. Now this is no longer true.

There appears to be a new version of the application out, so will try and let you know.

I don't yet know if I can, for example, see content marked as "private" from other users, or of course if they can see mine.